Privacy By Design for Associations

Jan 11, 2019 11:12:28 AM

Kim Estep





When associations first joined the internet revolution in the late 1990s and early 2000s, few executives could have predicted the changes that would take place over the coming decades. Those changes affected countless industries that had been accustomed to sharing information in secure ways, using the postal service to send printed newsletters and relying on members to attend national conferences.



Privacy did not need to be designed into the system. The membership database lived on a single computer that was locked behind a closed door inside the association’s headquarters. Illegally accessing the database could only be accomplished by stealing the computer or copying the contents of the drive on floppy discs and physically removing the discs from the premises.


In 2016 the Cambridge Analytica scandal showed the world how easy it was to trick customers into giving up private information. Many Facebook users had opted in to a quiz but had not read the fine print of the privacy policy. The result? Their private data was shared by advertisers, including the presidential campaigns. Many people believe Donald Trump would not have won the election had his team not been able to so personally reach voters on the Facebook platform.


This all could have been prevented if Facebook had been built with privacy in mind. Back in 2010, a software initiative was created in Europe, called “Privacy By Design.” Its seven foundational principles for software design were as follows (source: Wikipedia):


1. Proactive not reactive; preventative not remedial: anticipates privacy-invasive events, does not wait for risks to materialize;

2. Privacy as the default setting: no action is required by the individual to protect their privacy;

3. Privacy is embedded into the design: not an add-on bolted onto existing systems;

4. Full functionality – positive-sum, not zero-sum: no tradeoff of security vs privacy, win-win for all parties;

5. End-to-end security – full lifecycle protection: from initial introduction to the system through the individual’s lifecycle, including the right to be forgotten;

6. Visibility and transparency – keep it open: all stakeholders are operating in accordance with stated promises and objectives, and component parts remain visible and transparent to both users and providers;

7. Respect for user privacy – keep it user-centric: the interests of the individual are paramount.


Association execs and event organizers have begun to ask themselves: what’s the risk to our organization of a large-scale data breach? Are our software and systems PYD (Private By Design)? How about the companies we partner with to do our marketing, register our attendees, and maintain our membership database?


The Convention Nation team has conducted quite a bit of research and has discovered security issues that execs should be made aware of. For many events, privacy and security are a facade. The organizer’s intentions are good, but glaring holes exist that leave attendees’ privacy unprotected.


In follow-up blogs, we’ll discuss the implications of social media posts, print badges, registration systems, website content, room blocks, and catering lists on your customers’ security.

But if you can't wait because you're concerned about the privacy settings in your systems, feel free to contact us right away.
